Windows 10: Exploit Protection Intune Configuration Issues with Skype

Discussion in 'AntiVirus, Firewalls and System Security' started by Chan_437, Mar 31, 2020.

  1. Chan_437 Win User

    Hello,

    I have an issue with Exploit Protection configuration with Intune and Microsoft Advanced Threat Protection (ATP) as it is closing out our users' Skype application. The reason it closes is because of the way our Skype call recorder is integrated into Skype. In the ATP portal it shows that lync.exe (Skype) is making an Exploit Address Filter (EAF) violation. I have tested this by uninstalling the call recorder and Skype runs fine, but once the recorder is installed I get EAF violations in the ATP incident list and Skype no longer opens.



    I found the setting to toggle in Windows Security settings > App and browser control > Exploit Protection > Program settings > lync.exe > Export address filtering > off. But once I apply this to the Intune policy XML it does not seem to take effect. XML config is at the bottom.



    I have found three locations where Exploit Guard or Exploit Protection can be configured:


    1. Devices > Configuration profiles > Endpoint protection policy > settings > MS Defender exploit guard > Exploit Protection > added XML config file

    2. Endpoint security > Security Baseline > Windows 10 Security Baseline > properties > Exploit Guard > upload XML config file

    3. Endpoint security > Attack surface reduction > Policy type: Exploit protection > upload XML config file


    Am I missing another location to configure this?



    I have uploaded the same XML file to the above three locations but it does not seem to overwrite the current XML configuration on my device or any user devices. I created the XML file by exporting my current Exploit Protection settings with Skype EAF to off.

    This snippet of the XML with EnableExportAddressFilter="true" is what turns EAF for lync.exe on. I have tried setting it to false or removing the line altogether but neither works.

    I am already working with MS on the issue but they are being very slow and I am trying to find a solution quickly. I am able to run the PS command

    "Set-ProcessMitigation -Name lync.exe -Disable EnableExportAddressFilter,EnableExportAddressFilterPlus" but EAF for Skype gets reverted when the computer is rebooted.



    Edited XML to only include lync.exe. This is what is currently uploaded. But once I upload and Sync my computer EAF stays on. I let it sit for 24 hours and it is still on.

    <?xml version="1.0" encoding="UTF-8"?>
    <MitigationPolicy>
      <AppConfig Executable="lync.exe">
        <DEP Enable="true" EmulateAtlThunks="false" />
        <ASLR ForceRelocateImages="true" RequireInfo="false" />
        <Payload EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
      </AppConfig>
    </MitigationPolicy>



    XML with EAF on for lync.exe

    <AppConfig Executable="LYNC.EXE">
      <DEP Enable="true" EmulateAtlThunks="false" />
      <ASLR ForceRelocateImages="true" RequireInfo="false" />
      <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" EnableImportAddressFilter="true" EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
    </AppConfig>



    Any ideas as to why EAF won't turn off?

    :)
     
    Chan_437, Mar 31, 2020
    #1
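
An added example, not part of the original post and not Microsoft's tooling: a PowerShell check that reads an Exploit Protection policy XML before upload and reports, for each `AppConfig` entry matching an executable, whether the two EAF attributes are explicitly `true`, explicitly `false`, or absent. The function name `Get-EafPolicyState` is hypothetical, and the sample policy is constructed from the two snippets in the post.

```powershell
# Added example. Sample policy constructed from the two snippets in the post.
$samplePolicy = @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="lync.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <Payload EnableRopStackPivot="true" EnableRopCallerCheck="true" EnableRopSimExec="true" />
  </AppConfig>
  <AppConfig Executable="LYNC.EXE">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true" />
  </AppConfig>
</MitigationPolicy>
'@

function Get-EafPolicyState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$PolicyXml,
        [Parameter(Mandatory)][string]$Executable
    )
    $doc   = [xml]$PolicyXml
    $attrs = 'EnableExportAddressFilter', 'EnableExportAddressFilterPlus'
    # -ieq compares case-insensitively; the post shows lync.exe and LYNC.EXE
    $apps = @($doc.SelectNodes('//AppConfig') |
        Where-Object { $_.GetAttribute('Executable') -ieq $Executable })
    if ($apps.Count -gt 1) {
        Write-Warning "$($apps.Count) AppConfig entries match $Executable"
    }
    foreach ($app in $apps) {
        $payload = $app.SelectSingleNode('Payload')
        foreach ($a in $attrs) {
            $inFile = if ($payload -and $payload.HasAttribute($a)) {
                $payload.GetAttribute($a)     # explicit "true" or "false"
            } else { 'absent' }               # attribute not written in this entry
            [pscustomobject]@{
                Entry = $app.GetAttribute('Executable'); Setting = $a; InFile = $inFile
            }
        }
    }
}

Get-EafPolicyState -PolicyXml $samplePolicy -Executable 'lync.exe' | Format-Table

# On an enrolled device, compare with what is applied after a sync or reboot
if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
    Get-ProcessMitigation -Name lync.exe
}
```
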

  2. Exploit Protection Settings

    The Exploit Protection settings are preconfigured; and home users should generally just leave them alone:



    The Use default configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.




    https://docs.microsoft.com/en-us/wi...er-exploit-guard/customize-exploit-protection



    Apply mitigations to help prevent attacks through vulnerabilities - Windows security



    The preconfigured applications have been optimized by Microsoft – and adding customizations for other apps requires both a rationale and an understanding of the potential consequences, since haphazardly changing the default settings for an app can easily render it dysfunctional.



    It’s ironic that these application mitigations are exposed in the Windows Defender Security Center interface, while the safe and simple Windows Defender configuration options are only available via the PowerShell Set-MpPreference command line:



    Set-MpPreference (defender)



    The Set-MpPreference cmdlet now also includes the parameters for Attack Surface Reduction and Block at First Sight:



    Windows Defender Detection rate
     
    GreginMich, Mar 31, 2020
    #2
  3. Edge Browser not listed on Exploit Protection

    When I open the Exploit Protection Program List, how come Edge browser processes are not listed?
    Or, is there another process name for MS Edge from the Exploit Protection Program List page?

    However, my guess is that since Edge runs in a Sandboxed protected mode by default, maybe perhaps it is not required to be on the Exploit Protection Programs List.
     
    win10freak, Mar 31, 2020
    #3
  4. Nikhar_K Win User

    Intune User-driven upgrade issues

    Hi Brandan,



    Thank you for writing to Microsoft Community Forums.



    I understand you are facing issues while testing the Intune Autopilot feature for a user-driven profile. I suggest you refer to the article Troubleshooting Windows Autopilot enrollment issues in Microsoft Intune and see if that helps.

    For additional information, you can refer to the article Enroll Windows devices in Intune by using the Windows Autopilot.

    If the issue persists, I suggest you post your query in the TechNet forums, where we have a dedicated team with experts in Microsoft Intune to assist you with the appropriate troubleshooting steps.



    Regards,

    Nikhar Khare

    Microsoft Community - Moderator
     
    Nikhar_K, Mar 31, 2020
    #4